
DNS-OARC's Fall 2015 Workshop was co-located with the NANOG 65 meeting in Montreal and sponsored by:

DNS-OARC Workshop meetings are open to OARC members and to all other parties interested in DNS operations and research, with NANOG and ARIN attendees particularly welcome this time around. Attendance is free for OARC Members, Speakers and Sponsors. There are charges for other attendees and late registrations.

Venue: Fairmont Queen Elizabeth, 900 René-Lévesque Blvd W, Montreal, QC H3B 4A5, Canada (rooms Hochelaga 1 and St-Francois)

Convener:
Paul Ebersman
(Comcast)

14:00

An Overview of DNS Privacy Mechanisms (30m)

As part of the IETF's efforts to secure all protocols against pervasive surveillance, several privacy enhancements to the DNS are actively being developed with prototype implementations of such enhancements also emerging. This talk will provide a technical description of these mechanisms as well as deployment challenges and related considerations. Topics to be covered will include query-name minimization, DNS over TLS/DTLS and other encryption proposals, payload padding, etc. We will also cover related efforts to minimize leakage of DNS names in other protocols.

This talk will focus on the existing prototype implementations of DNS-over-TLS and dive into some of the finer points of using TLS in practice. This will include authentication issues, performance considerations, TCP connection management, DoS mitigation and a demonstration. It will also discuss the current best practices for using TLS in applications and the upcoming developments in TLS 1.3.

Speaker:
Sara Dickinson
(Sinodun IT)

Slides

15:00

Next Steps in DANE Adoption (30m)

This talk will discuss upcoming and future steps envisioned to increase the adoption of DNSSEC and DANE (DNS-based Authentication of Named Entities) by Internet applications. It will start by providing an overview of the current state of adoption of DANE, and then discuss challenges faced by some application communities and some applications for which DANE doesn't yet provide a solution. Among the topics covered will be a proposed new TLS extension to allow servers to deliver a DANE record and the associated DNSSEC chain to clients, a mechanism to allow the use of TLSA records for client authentication, and others.

Speaker:
Mr. Shumon Huque
(Verisign Labs)

Slides

15:30 → 16:00 Afternoon Coffee Break (30m), St-Francois

16:00 → 17:50 Public Workshop: Benchmarking Track, St-Francois, Fairmont Queen Elizabeth

CZ.NIC Labs created and continues to actively develop the Knot DNS authoritative DNS server. The development team puts substantial effort into optimizing the server's performance and searching for new optimization opportunities. We therefore created a DISTEL-based lab for benchmarking not only our own server but also for comparing many different authoritative DNS servers and versions.
The presentation shows our method for collecting data, explains the statistics that we use for testing hypotheses about server performance, and presents results for Knot 2.0 and others with regard to mixed DNSSEC and non-DNSSEC traffic.

Speaker:
Mr. Tomas Hlavacek
(CZ.NIC, z.s.p.o.)

Slides

16:30

Impact of unknown EDNS options on the DNS (15m)

The EDNS (Extension mechanisms for DNS) protocol allows us to add new features to DNS that were not envisioned when DNS was originally specified. DNSSEC, Client-subnet Identifier and DNS cookies are applications that use EDNS.
It appears from ISC's testing that a significant percentage of sites that support EDNS do not respond well to unknown EDNS options. The failure mode can be as severe as disabling EDNS (breaking DNSSEC). We are reluctant to encourage the use of new EDNS options until there is better tolerance for unknown EDNS options in the DNS. We would like to raise awareness of the issue, and find out what the community thinks we should do to address it.
This presentation will review the [results of our testing][1] and the current EDNS failure modes we see, and explain how to [test your own site][2] for compliance.
[1]: http://ednscomp.isc.org/
[2]: http://ednscomp.isc.org/ednscomp
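As an added illustration of the kind of compliance test described above (this is example code written for this page, not the talk's material or ISC's ednscomp tool), the probe below sends a query carrying an option code no server can know and classifies the reply as compliant, FORMERR, EDNS silently dropped, or unknown option echoed back. The option code, the query name and the constructed offline responder are assumptions of this example.

```python
import socket
import struct
# Option code 65001 lies in the range RFC 6891 reserves for local/experimental use, so
# no server knows it: a compliant one ignores it, neither echoing it back nor failing.
UNKNOWN_OPTION = (65001, b"\x00\x01")  # (code, data); value constructed for this probe

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def _opt_rr(options=b""):
    # OPT pseudo-RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags
    return b"\x00" + struct.pack(">HHIH", 41, 4096, 0, len(options)) + options

def build_query(qname, unknown_option=None):
    """SOA query with an OPT RR that optionally carries an unknown option."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question += b"\x00" + struct.pack(">HH", 6, 1)  # root label, QTYPE=SOA, QCLASS=IN
    rdata = b""
    if unknown_option is not None:
        code, data = unknown_option
        rdata = struct.pack(">HH", code, len(data)) + data
    return header + question + _opt_rr(rdata)

def classify(response, sent_code):
    """Classify a reply to a query that carried the unknown option `sent_code`."""
    _, flags, qd, an, ns, ar = struct.unpack_from(">HHHHHH", response, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(response, off) + 4  # name + QTYPE + QCLASS
    opt_rdata = None
    for _ in range(an + ns + ar):
        off = _skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", response, off)
        off += 10
        if rtype == 41:
            opt_rdata = response[off:off + rdlen]
        off += rdlen
    if flags & 0xF == 1:
        return "FORMERR"  # rejects the whole message because of the option
    if opt_rdata is None:
        return "NOEDNS"   # answered, but silently dropped EDNS (this breaks DNSSEC)
    i = 0
    while i + 4 <= len(opt_rdata):
        code, length = struct.unpack_from(">HH", opt_rdata, i)
        if code == sent_code:
            return "ECHOED"  # RFC 6891 s6.1.2: unknown options MUST be ignored, not returned
        i += 4 + length
    return "OK"

def make_response(query, rcode=0, include_opt=True, echo_options=b""):
    # Constructed responder for offline testing; mimics one class of server behaviour.
    qend = _skip_name(query, 12) + 4
    header = struct.pack(">HHHHHH", 0x1234, 0x8400 | rcode, 1, 0, 0, 1 if include_opt else 0)
    return header + query[12:qend] + (_opt_rr(echo_options) if include_opt else b"")

def probe(server, qname, timeout=3.0):
    """Send the unknown-option query over UDP to an authoritative server you operate."""
    query = build_query(qname, unknown_option=UNKNOWN_OPTION)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"  # worst case: the server drops the query entirely
    return classify(data, UNKNOWN_OPTION[0])
```

Compare the result of `probe()` against a plain EDNS query to your own servers: anything other than "OK" for the unknown-option case means new EDNS options will degrade or break resolution for your zone.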

Speaker:
Victoria Risk
(ISC)

Slides

16:45

Benchmarking and profiling DNS systems with modern Linux tools (15m)

This talk will outline the use of tools from the netsniff-ng toolkit and the Linux kernel along with a home-grown benchmark harness to characterize UDP DNS performance. These tools operate very differently from "traditional" utilities like dnsperf/resperf and produce very different results, possibly contradicting conventional wisdom that UDP on Linux is slow.

Speaker:
Robert Edmonds
(Farsight Security, Inc.)

Slides

17:00

Impact of DNS over TCP - a resolver point of view (30m)

Using traffic captured at two different ISPs' recursive resolvers, we analyse the potential impact on the servers of long-lived TCP sessions, investigating the effect of timeout settings, the total number of simultaneous connections that would be kept open, and the potential benefits of connection reuse as proposed in the current version of draft-ietf-dnsop-5966bis, with the intent of offering simulated operational advice based on observed traffic.
The study looks at the impact on the recursive server as it queries authoritative servers as well as while it talks to stubs, two very different aspects of the life of a recursive server.

Speaker:
Mr. Joao Luis Silva Damas
(Bond Internet Systems)

Slides

17:30

Idea: DNS over QUIC / zone transfer over QUIC or TLS/TCP (15m)

The presentation discusses just an idea about DNS over QUIC and zone transfer over QUIC or TLS/TCP. The third transport of DNS may be QUIC. Both DNS and QUIC use UDP, and it may be possible to share port 53/UDP. (If possible, implementation status will be reported, but it seems hard.) Zone transfers may also be performed over QUIC or TLS/TCP transport with server certificate authentication.

Pandore (5th Floor) / St-Francois, Fairmont Queen Elizabeth

Convener:
Mr. Sebastian Castro
(NZRS)

09:00

OpenDNS: Managing DDoS Attacks (30m)

Open resolvers will always be a target for abuse, either as an attack amplification point or as a mask of the attack source. This presentation discusses the measures that OpenDNS has put in place to ensure that their open resolvers contribute towards reducing or blocking DDoS attacks. It goes on to discuss future plans to identify, limit or block DoS sources.

This abstract describes the concepts, the development and the functionality of the DENIC DNS Continuous Integration and Deployment Pipeline, as well as the advantages you can gain through these techniques and automated testing. More information will follow in the summary form.

DNS ANY queries are a source of controversy and strong feelings. In practice ANY queries are used for debug purposes, but are frequently abused in amplification attacks, as they give the best amplification factor. In some non-traditional DNS authoritative servers the cost of answering ANY queries can be high due to multiple DB lookups and dynamic records.
Once in a while someone thinks that using ANY query is a good way to reliably get all RRsets in one query, frequently without understanding the semantics or implications.
We have explored a number of alternatives to answer ANY queries without breaking any deployed systems, and at the same time discourage the use of ANY query.
In this talk we will cover the alternatives and present our solution to a cacheable, non-breaking “negative” answer to ANY queries.

Speaker:
Mr. Ólafur Guðmundsson
(CloudFlare Inc.)

Slides

10:30 → 11:00 Morning Coffee Break (30m), St-Francois

11:00 → 12:30 Public Workshop: Data Analysis, St-Francois, Fairmont Queen Elizabeth

Convener:
Mr. Sean Stuart
(Verisign)

11:00

Internet Performance Impacts of Canadian Content Hosting (30m)

In addition to driving ccTLD growth, a strong national content hosting industry improves consumer experience by making content faster, cheaper, and more accessible. Ironically, the existence of a large content-hosting industry next door has tended to artificially reduce the percentage of both Canadian and Mexican content that is domestically hosted.
In this talk, we'll examine the most popular domains in Canada (using Alexa ranking data), as well as the much broader spectrum of domains hosted in .CA. We'll utilize BGP routing and IP geolocation to assess the geographies and key providers that support Canada's current state of domestic versus international content placement. Beyond this basic census, we'll also examine some of the potential performance impacts of nonlocal hosting on content consumers in both Eastern and Western Canada.

Speakers:
Jim Cowie
(Dyn, Inc.), Matt Larson
(Dyn, Inc.)

Slides

11:30

DNS big data analytics (30m)

# Introduction
As the operator of the .nl ccTLD, SIDN is very interested in keeping the .nl zone as safe as possible.
Analyzing the query data can help to detect cybercrime activity in the .nl zone, which we can then try to clean up.
Traditional DNS query data analysis, done by storing data as PCAPs and analyzing them with tools such as tshark and Wireshark, is often a slow and painful process.
When storing DNS query data as PCAP files you will quickly run into performance and scalability problems.
Most tooling used to analyze PCAPs is single threaded and has limited or no SQL compatibility.
What is required is a system which can cope with large volumes of PCAP data and still offer good query performance.
That's why SIDN developed a DNS big data platform called ENTRADA; this platform is built on top of the Hadoop stack using open source technology.
DNS query data from our authoritative name servers is stored on this platform and can be analyzed using multiple interfaces and languages.
The system supports SQL, which means that anyone with SQL knowledge can quickly start analyzing the query data.
Currently the database contains over 64 billion DNS queries; each day some 130 million new queries are added, and this number will grow as we hook up more name servers.
In this presentation I will be talking about system design, use cases and our experiences.
# Platform design
The platform at SIDN is used by the R&D team and is quite small (5 nodes).
The costs of setting up such a cluster are very modest; the main components are, as expected, hardware and people.
The hardware does not have to be enterprise grade and much of the required knowledge is available for free online.
Adding more storage and compute capacity is as simple as adding more disk drives or servers.
The cluster storage capacity at the moment is about 100 billion DNS queries and this data can be queried very efficiently. Depending on the type of query and the number of data partitions that have to be scanned, most queries will return a result within seconds.
# Privacy
Privacy is an important aspect when collecting DNS data, because the query data might reveal personal information about the users who are sending DNS queries.
The IP address of a client can in some cases be used to identify and track users (for a home user operating a private resolver, or for small shared resolvers).
We designed a novel privacy framework (1) because it introduces privacy management to the use of DNS data and (2) because, to that end, it integrates legal, organizational and technical aspects of privacy management.
This is described in our paper: https://www.sidnlabs.nl/uploads/tx_sidnpublications/SIDN_Labs_Privacyraamwerk_Position_Paper_V1.4_ENG.pdf
# Workflow
The time it takes from a query being received on the name server until it is available in the database for analysis is just a couple of minutes.
The steps involved are:
- get PCAP data every x minutes from the name server
- PCAP conversion
- enrichment of data
- storage
- query!
# Storage
There are a lot of different storage technologies; we chose to use the Parquet format to encode the data and Hadoop HDFS as a distributed storage layer.
This part explains why Parquet is such a good fit for storing DNS data:
- Why we chose Parquet
- Size difference (PCAP vs Parquet, total database size)
- How to convert PCAP data to Parquet (write Parquet with an Avro schema (KiteSDK))
- The Parquet format can be read by Impala but also by Spark, which makes it very flexible.
# Query engines and interfaces
The data stored in the system can be accessed through multiple query engines and interfaces.
The supported workloads range from a simple SQL query to advanced graph and machine learning jobs.
- Impala/Impyla (SQL engine)
- Spark (SQL/Graph/Machine learning engine)
- Hue (SQL web interface)
- Jupyter (Python notebook)
# Use cases
Focused on increasing the security and stability of .nl:
- DNS security app (visualize traffic patterns for phishing domain names)
- Botnet detector (detect botnet infections and report these to the Abuse Information Exchange (https://www.abuseinformationexchange.nl/english))
- Real-time phishing domain name detection
- Statistics dashboard (stats.sidnlabs.nl)
- Scientific research (collaboration with Dutch universities)
- Ad-hoc operational analysis (quick analysis of current issues in the DNS)
# Experiences
Our experiences in working with this data:
There is so much work to be done once this data is available that we hired an additional data scientist.
Future work:
- Combine passive data from the .nl authoritative name servers with active scans of the complete .nl zone and ISP data.
- Adding more name servers and resolvers.
- Open data interface
# Summary
1. We believe that our choice of technology combined with our privacy framework is quite novel.
2. Our setup proves that a big data platform can start small with limited costs and still be powerful.
3. We provide the rationale behind our architectural decisions with regard to tools, workflow and data formats for storage.
4. We provide example use cases of what is possible when this data is available for analysis.

Speaker:
Mr. M. Wullink
(SIDN)

Slides

12:00

Cluster the long tailed domains based on passiveDNS.cn (15m)

Clustering DNS domains is a basic but very important task in analyzing the dizzying businesses of the Internet. Only with an accurately clustered domain result can we discern and analyze all kinds of DNS data. Currently, most work focuses on domain structure, hoping to find the relationships among kinds of domains. Recently, based on the largest public passive DNS database in China, we have been exploring some new but beneficial ways of clustering the long-tailed domains (selected by some filter rules). Besides domain structure, we add two dimensions: client and server data. Introducing the real data of upstream and downstream is a big extension and, of course, more accurate. From the test results, the two dimensions are helpful in clustering the domains and finding both benign and malicious domain communities.

Speaker:
Mr. Zaifeng Zhang
(Qihoo 360)

Slides

12:15

Publishing zone scan data using an open data portal (15m)

NZRS has been running zone scans on a monthly basis over the active .nz domain names for the past two years. We are using dnscheck with custom changes to collect DNS health information, as well as IPv6 deployment metrics. The data is of no use if it can't be made readily available to interested parties.
To sort this out, NZRS will start using an open data portal provided by Socrata to allow open access to the zone scan and other datasets about the registry operations. The data portal will allow users to download the data, but also to explore it in a visual way.
This presentation will cover
- Methodology and infrastructure to run the zone scan
- Overview of the data collected
- Introduction to the open data portal (possibly a demo)
- Some interesting findings.
Time required: Ideally 30 minutes, but can be adjusted to be a lightning talk.

Speaker:
Mr. Sebastian Castro
(NZRS)

Slides

12:30 → 14:00 Lunch (1h 30m), Hochelaga 1, Fairmont Queen Elizabeth

13:00 → 14:00 PGP Signing Session (1h), St-Francois, Fairmont Queen Elizabeth

Speaker:
Mr. Mauricio Vergara Ereche
(ICANN)

notes

PGP Keyring

14:00 → 15:30 Public Workshop: Root Data Analysis, St-Francois, Fairmont Queen Elizabeth

Convener:
Mr. Mauricio Vergara Ereche
(ICANN)

14:00

A study of caching behavior with respect to root server TTLs (30m)

The Root Server System Advisory Committee (RSSAC) within ICANN was recently tasked with considering the extent to which the current root zone TTLs are appropriate for today's Internet environment and the impacts of root TTL alterations on the wider DNS system. The historical DITL data from 2014 and 2015 was analyzed for trends in TTL adherence, answering some of the following questions: To what degree do root zone TTLs matter? Is there a difference in behavior for authoritative versus non-authoritative data? Do all TLDs exhibit similar inter-query time distributions? Do specific recursive implementations, ISPs, open resolvers, etc. diverge from general TTL adherence trends? How has inter-query time changed over the past two years? Would a change in root zone TTLs result in a change in traffic levels at root name servers?

Speakers:
Duane Wessels
(Verisign), Matthew Thomas
(Verisign)

Slides

14:30

F-root Anycast Research using RIPE Atlas (30m)

ISC has been using data routinely collected by every RIPE Atlas node to research the effectiveness of F-root's current transit and peering arrangements.
The presentation will show how visualisation of this data can identify issues that should be resolved, along with "before and after" pictures showing the effect of changes that we already made to our routing configuration based on this analysis.

Speaker:
Mr. Ray Bellis
(Internet Systems Consortium, Inc.)

Slides

15:00

Thirteen Years of "Old J Root" (30m)

Thirteen years ago Verisign renumbered j.root-servers.net so that it could be anycasted. Since that time, we have been continuing to answer queries sent to the old IP address. We have also been collecting some data on queries to old J-root.
In this presentation we will explore such questions as: what do we know about the clients of old J-root? Do they overlap with clients of the real J-root? Are there noticeable differences in traffic characteristics (e.g., EDNS, DNSSEC, query types) between the two? Does old J-root traffic fluctuate in the same way as real traffic? When real J-root gets attacked, does old J-root also get attacked? If so, can this be used to identify attacks coming through recursive name servers?

Speaker:
Duane Wessels
(Verisign)

Slides

15:30 → 16:00 Afternoon Coffee Break (30m), St-Francois

16:00 → 17:45 Public Workshop: Resolvers Track, St-Francois, Fairmont Queen Elizabeth

Convener:
Duane Wessels
(Verisign)

16:00

Analyzing the distribution of DNS clients to recursive name servers across the Internet (30m)

As a byproduct of our web-based Real User Monitoring (RUM) agent, Dyn obtains the IP addresses of individual hosts running web browsers all over the world as well as the IP addresses of the recursive servers queried by those hosts. We have analyzed a rich data set of over 110 million client IP address-to-recursive IP address mappings to research an area of DNS that we believe has not been sufficiently studied. For example, what is the distribution of the number of clients per recursive server? Where are clients located relative to the recursive servers they use, both from a geographic as well as network topological perspective? What query patterns do individual clients follow if they use multiple recursive servers? We report on these and other interesting findings.

Speaker:
Matt Larson
(Dyn, Inc.)

Slides

16:30

Real World Impacts of EDNS Client Subnet (30m)

Client Subnet makes it possible to offer better geolocation of end-users via DNS responses. This talk will concentrate on what happens when Client Subnet is enabled on a public resolver. It will look at upstream traffic patterns, cache performance, and other factors that come into play with Client Subnet. At the end of this talk, DNS providers should have a better idea of how Client Subnet will impact their performance and network.

Speaker:
Brian Hartvigsen
(OpenDNS)

Slides

17:00

dnstap-whoami: one-legged exfiltration of resolver queries (15m)

A few existing "whoami" or "dnsecho" authoritative DNS services allow for limited extraction of information about the resolver to the original client that would normally be hidden. For example, querying an anycasted resolver like 8.8.8.8 with the command "dig @8.8.8.8 whoami.akamai.net" will return an address record revealing a unicast initiator address used by the anycast service. This is "one-legged", because the original client only has visibility into the stub/recursive "leg" of the DNS interaction. The DNS-OARC porttest tool is another example of a "one-legged" service.
Similarly, many DNS research projects use special purpose zones with instrumented nameservers which capture incoming query packets for analysis. For example, scans for open recursive DNS servers typically control both the stub/recursive "leg" and the recursive/authoritative "leg" and are thus "two-legged". This requires a more heavyweight investment but results in a richer set of data.
This talk will demonstrate an enhanced "whoami" authoritative DNS server that can exfiltrate more detailed information about the recursive/authoritative interaction to the original client, including the complete resolver query packet sent to the authoritative server, using the dnstap format to compactly tunnel structured information which can be decoded by the original client.

Speaker:
Robert Edmonds
(Farsight Security, Inc.)

Slides

17:15

Happy DNS Eyeballs? (30m)

Much work has been undertaken in the browser world to produce the so-called "Happy Eyeballs" outcome. This is an outcome where the client will detect if the service is a dual stack service and if so then use a connection process that slightly biases the client in favour of using IPv6 as the transport for the DNS. What evidence is there for a similar mode of behaviour of DNS resolvers? This presentation will report on a large scale measurement experiment that was intended to expose the protocol behaviour of resolvers and determine whether they have any protocol selection bias.